The Distributed Denial of Service (DDoS) attack is becoming the crowbar of the online criminal. In the past we have got rather used to DDoS attacks being one of the favoured approaches of hacktivists, with perhaps the Low Orbit Ion Cannon (LOIC) and later the High Orbit Ion Cannon (HOIC) as used by Anonymous to take down sites being the best known examples. However, recent evidence suggests that taking down a site is increasingly no longer the be all and end all of a DDoS attack, instead it's just a means to a much more profitable end.
A couple of weeks ago I reported how a Bitcoin bank robbery took place under the smokescreen of a DDoS attack. I've now learned that a DDoS attack on another Bitcoin-related site, the Bitcointalk.org online forum, could also have been implemented as a smokescreen tactic. Information Week reports the site was actually targeted for a password-stealing exercise with some 176,584 users login credentials at risk.
Indeed, as TK Keanini (CTO at Lancope) points out there is an established marketplace out there selling the DDoS capability to anyone with the cash, and relatively little of it is needed to attack a smaller company, so the bad guys don't even need a DDoS strike capability as a core competency any more. "It is almost always the case these days that DDoS attacks leverage blended methods, where the volumetric technique is included, but not the primary objective" Keanini says, adding "this is a sign of what is to come in 2014 as more adversaries just put together a multi faceted compostable attack and instead of having to have all this expertise in-house, they will be able to outsource via these marketplaces that sell these capabilities."
Jag Bains, CTO at DDoS mitigation experts DOSarrest says that his company has been seeing DDoS attacks sending huge amounts of traffic to a website to overwhelm key points in its infrastructure to send the security team scrambling to fight it off as something of a trend. "This serves as a distraction for the security personnel and aims to weaken the underlying infrastructure" Bains explains "once the security operations are no longer cohesive, criminals can use other methods to target intrusion prevention systems to get in and steal information". All of which just goes to reinforce that maintaining the focus of core operations during a DDoS attack is an ever increasing problem for IT operations. "As DDoS continues to be used as part of a 1-2 punch in cybercrime and data theft attempts" Bains concludes "IT professionals have become stressed in keeping up with the ever increasing size and sophistication of DDoS attacks". All of which can influence an organisation to resort to what you might call non-standard, or panicked, practices to deal with the ongoing attack. Things such as disabling their IDS platform for example. Things that further compromise the overall security of the network and enable the attackers to pull off the primary attack with ease.